[Last Call] Learn how to a build a cloud-first strategyRegister Now


What to do with AD published certificates when decommissioning a CA?

Posted on 2010-01-04
Medium Priority
Last Modified: 2012-05-08
Decommissioning a poorly maintained Windows 2003 Enterprise Root CA and its subordinate CA in preparation for replacing it with a brand new Windows 2008 AD CS based PKI.  Over the years, the old subordinate CA issued quite a few certificates.. most are expired, the rest are easily identifiable.

Prepared to follow instructions in Microsoft KB889250 to remove the CA, but there is no mention of what to do about the certificates that were published into AD.  E-mail admin mentioned that Exchange complains all the time about expired certs when rebuilding the GAL.. got to thinking maybe we need to manually purge those out of the directory too.

Any advice how to carry this out, or if it's even advisable?
Question by:dtadmin
  • 2
LVL 49

Expert Comment

ID: 26176384
If you don't need the certificates that were published from this CA and haven't expired yet then I  see no reason why keeping them published in AD, I know I have deleted certificates from AD from unused CA's many times never had an issue.

hope it helps
LVL 31

Expert Comment

ID: 26181048
When you revoke all of the certificates and publish the CRL, AD should no longer display them.

If there are just a few, you can remove them from AD manually if you really want to beforehand in AD Users & Computers if you View - Advanced then pull up the user accounts and view the certs tab.

Author Comment

ID: 26193090
By what mechanism does a certificate get cleared out of the directory upon revocation?  We've revoked all but a couple certificates that we know we need yet they all still appear to be published under the user accounts.  I'm not sure where to start troubleshooting this.
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 26352596
When AD goes to check the cert, it will not display expired/revoked/otherwise invalid certs.  The DC may still be looking at a cached CRL, or the CA may not have published a new CRL yet.  A new delta CRL may be created on the CA 'certutil -crl delta' which should be fine, otherwise a base CRL could be made (certutil -crl) - or you can do this in the CA MMC rigth click Revoked - all tasks - publish.  There should be a .crl file in system32\certsrv\certenroll folder.

The delta CRL will be looked at more frequently (check the CA MMC - properties of revoked certs folder - to determine settings, including if delta CRLs are supported).  You can copy out the CRL files to the CDP locations defined in the CA properties - extenstions tab.  You could also install on DC directly, manually browsing and checking 'show physical stores' and select trusted root certification authorities - local computer.  Note that if the CRL renewal time is far off (validity period value - renewal value + time last CRL was issued) then you may need to install it manually to override using the cached CRL as it will not look otherwise until the "next update' period comes up.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question